From 660496551b50d47cbd9c14a5c8fae1faf60bfc70 Mon Sep 17 00:00:00 2001 From: Samson-W Date: Tue, 10 Sep 2019 04:59:08 +0800 Subject: [PATCH] Update README.md and README-CN.md --- README-CN.md | 26 +++++++++++++++++++------- README.md | 29 +++++++++++++---------------- 2 files changed, 32 insertions(+), 23 deletions(-) diff --git a/README-CN.md b/README-CN.md index 0d7d273..aaded34 100644 --- a/README-CN.md +++ b/README-CN.md @@ -151,7 +151,8 @@ EXCEPTIONS="" 4) 设置基本的iptables防火墙规则 根据实现场景进行防火墙规则的配置,可参考HardenedLinux社区归纳的基于Debian GNU/Linux的防火墙规则的基本规则: [etc.iptables.rules.v4.sh](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.iptables.rules.v4.sh) -执行如下的命令进行部署: + +基于iptables的部署: ``` $ INTERFACENAME="your network interfacename(Example eth0)" $ sudo bash docs/configurations/etc.iptables.rules.v4.sh $INTERFACENAME @@ -159,25 +160,36 @@ $ sudo -s # iptables-save > /etc/iptables/rules.v4 # ip6tables-save > /etc/iptables/rules.v6 ``` +基于nft的部署: +按照以下命令修改nftables.conf(你的对外网口的名称,例如:eth0): +``` +$ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf +$ sudo nft -f ./etc.nftables.conf +``` 5) 使用passwd命令改变所有用户的密码,以满足pam_cracklib模块配置的密码复杂度及健壮性。 -6) 必须在第一次修复应用后进行修复的项 +## 特别注意 + +### 必须在第一次修复应用后进行修复的项 ``` 8.1.32 因为此项一旦设置,审计规则将不能够再进行添加。 ``` -7) 必须在所有项都修复应用后进行修复的项 +### 必须在所有项都修复应用后进行修复的项 ``` 8.4.1 8.4.2 这都是与aide检测文件完整性相关的项,最好是在所有项都修复好后再进行修复,以修复好的系统中的文件进行完整性的数据库的初始化。 ``` - -## 特别注意 -一些检查项需要依赖多次修复,且操作系统需要多次重启。需要进行两次修复的项有: +### 一些检查项需要依赖多次修复,且操作系统需要多次重启 +#### 需要进行两次修复的项 +``` 8.1.1.2 8.1.1.3 8.1.12 +``` -需要修复3次的项: +#### 需要修复3次的项 +``` 4.5 +``` ## 玩(如何添加检查项) diff --git a/README.md b/README.md index 02ece24..4ef7d53 100644 --- a/README.md +++ b/README.md 
@@ -175,18 +175,6 @@ $ sudo -s # ip6tables-save > /etc/iptables/rules.v6 ``` -5) Use the passwd command to change the passwords of all users to apply the password complexity and robustness of the pam_cracklib module configuration. - -6) Items that must be applied after the first application(reboot after is better) -``` -8.1.32 Because this item is set, the audit rules will not be added. -``` - -7) Items that must be applied after all application is ok -``` -8.4.1 8.4.2 These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. -``` - ### nft format rules: [nftables.conf](https://github.com/hardenedlinux/harbian-audit/blob/master/docs/configurations/etc.nftables.conf) to do the following(your network interfacename(Example eth0)): 
@@ -194,18 +182,27 @@ to do the following(your network interfacename(Example eth0)): $ sed -i 's/^define int_if = ens33/define int_if = eth0/g' etc.nftables.conf $ sudo nft -f ./etc.nftables.conf ``` - -5) Use the passwd command to change the passwords of all users, and change the password to a secure and reliable password entry with the same password complexity set by the pam_cracklib module. +5) Use the passwd command to change the passwords of all users to apply the password complexity and robustness of the pam_cracklib module configuration. ## Special Note Some check items check a variety of situations and are interdependent, they must be applied (fix) multiple times, and the OS must be a reboot after each applies (fix). -Items that need to be fix twice: +### Items that must be applied after the first application(reboot after is better) +``` +8.1.32 Because this item is set, the audit rules will not be added. +``` + +### Items that must be applied after all application is ok +``` +8.4.1 8.4.2 These are all related to the aide. It is best to fix all the items after they have been fixed to fix the integrity of the database in the system. +``` + +### Items that need to be fix twice 8.1.1.2 8.1.1.3 8.1.12 -Items that need to be fix three times: +### Items that need to be fix three times: 4.5 ## Hacking
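Review bot: in the README-CN.md hunk at @@ -159,25 +160,36 @@, the added nft steps edit a bare `etc.nftables.conf` and load `./etc.nftables.conf`, while the iptables steps just above them run `docs/configurations/etc.iptables.rules.v4.sh` from the repository root. State the working directory for the nft commands or use the `docs/configurations/` path, so a reader who follows both blocks from the same shell does not hit a missing file. The iptables block also ends by saving to `/etc/iptables/rules.v4` and `rules.v6`, whereas the nft block stops at `nft -f`. Since the Special Note section requires several reboots between fix passes, either add the step that keeps the ruleset across a reboot or say explicitly that it is left to the reader.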
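Review bot: in the README.md hunk at @@ -194,18 +182,27 @@, the 8.1.32 line is moved unchanged and still reads "Because this item is set, the audit rules will not be added", which does not explain why the ordering matters. The README-CN.md text for the same item says that once it is set, no further audit rules can be added; suggest wording the English line that way. In the same hunk, the lists `8.1.1.2 8.1.1.3 8.1.12` and `4.5` stay as bare text under their new headings while README-CN.md now fences them, and "### Items that need to be fix three times:" keeps a trailing colon that the "twice" heading dropped. Fence both lists and drop the colon so the two READMEs render alike.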